This page explains how to configure an existing container registry server for Google Distributed Cloud (software only) for VMware.
This page is for Admins, Architects, and Operators who set up, monitor, and manage the tech infrastructure. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Overview
By default during cluster creation or upgrade, Google Distributed Cloud pulls system
images from gcr.io/gke-on-prem-release using the
component access service account.
Optionally, you can provide your own container registry server so that
system images are pulled from your private registry server instead.
Google Distributed Cloud doesn't support unsecured container registries. When you start your container registry server, you must provide a certificate and a key. The certificate can be signed by a public certificate authority (CA), or it can be self-signed.
Create a container registry server
To learn how to create a container registry server, see Run an externally-accessible registry in the Docker documentation.
Configure the registry
To use a private container registry, you can use either the gkectl
command-line tool or Terraform.
gkectl
- Add the - privateRegistrysection to the admin cluster configuration file before creating the cluster.- When this section is filled in: - When you run the - gkectl preparecommand before cluster creation or upgrade, the command extracts the images from the tar file that is specified in the- bundlePathfield in your admin cluster configuration file and pushes the images to your private registry server.
- During cluster creation or upgrade, the system images are pulled from your private registry server. 
 
- If your network is behind a proxy server, fill in the - proxysection.
Terraform
- Follow the steps in the Terraform tab in Create an admin cluster to fill in your admin cluster configuration file.
- Add the following to the admin cluster configuration file: - private_registry_config { address = "ADDRESS" ca_cert = "CA_CERT" }- Replace the following: - ADDRESS: the IP address or FQDN (Fully Qualified Domain Name) of the machine that runs your private registry.
- CA_CERT: the CA certificate data of the public key for the private registry in PEM format. To get the CA certificate in the required format, do the following steps:
 - Run the following command: - cat PUBLIC_KEY_PATH | tr '\n' '\\n' - Replace - PUBLIC_KEY_PATHwith the path to the public key.
- Copy the certificate that was output from the previous command and paste it into a text editor. Replace all instances of the backslash character (\) to a newline character (\n). 
- Copy the modified certificate and paste it into the - CA_CERTplaceholder variable.
 
- If your network is behind a proxy server, add the following: - proxy { url: "PROXY_SERVER_ADDRESS" no_proxy: "BYPASS_LIST" }- Replace the following: - PROXY_SERVER_ADDRESS: the HTTP address of your proxy server. Include the port number even if it's the same as the scheme's default port.
- BYPASS_LIST: a comma-separated list of IP addresses, IP address ranges, host names, and domain names that shouldn't go through the proxy server.
 - Example: - url: "http://my-proxy.example.local:80" no_proxy: "192.0.2.0/24,my-host.example.local,198.51.100.0"- When Google Distributed Cloud sends a request to one of these addresses, hosts, or domains, the request bypasses the proxy server and is sent directly to the destination. 
- Continue with the steps in the Terraform tab in Create an admin cluster to verify the Terraform configuration file and plan and then create the bootstrap cluster. 
- When you run the - gkectl register bootstrapcommand,- gkectlprompts you to enter the username and then the password for the private registry.
During cluster creation, the system images are pulled from your private registry server.
Limitations with advanced clusters and the full bundle
There are two Google Distributed Cloud bundles available: full and regular. To determine
which bundle is on your admin workstation, check the bundlePath field in your
admin cluster configuration file. If the filename ends in -full, the full
bundle is on your admin workstation. If the filename doesn't end in -full, the
regular bundle is on your admin workstation.
If you created your admin workstation using the gkeadm command, the command
creates the admin workstation VM with the full bundle on it, and configures the
bundlePath field in the admin cluster configuration file.
If advanced cluster is enabled, there are limitations with using the full bundle with a private registry, as follows:
- Version 1.31: the full bundle isn't supported with a private registry. To use a private registry on an advanced cluster: - Download the regular size bundle to your admin workstation.
- Update the filename in the bundlePathfield in the admin cluster configuration file.
 
- Version 1.32: using the full bundle is supported, but the - gkectl preparecommand pulls images from- gcr.io/gke-on-prem-releaseinstead of the tar file. The command does, however, push the images to your private registry so that the system images are pulled from your private registry during cluster creation or upgrade.
Differences between normal clusters and advanced clusters
Advanced cluster introduces several key differences compared to standard clusters:
- When you use a private registry, images appear to pull from gcr.io, not the hostname of your private registry. This change is expected, even though images actually pull from your private registry server.
- Image pulls use credentials from the /etc/containerd/config.tomlfile in each machine that connects to the private registry, instead of from theprivate-registry-credssecret inside the cluster.
- For all gcr.ioimages, the cluster first tries to pull from the private registry. If the image isn't in the private registry, the system pulls it fromgcr.ioover the internet. To stop this fallback, set upnoProxyor use firewall rules to blockgcr.iotraffic.
To check that images pull from the correct source, see Verify images are pulled from your registry server.
Verify images are pulled from your registry server
How you verify that images are being pulled from your registry server depends on whether advanced cluster is enabled.
- If advanced cluster isn't enabled, run the following command: - kubectl --kubeconfig ADMIN_CLUSTER_KUBECONFIG get pods \ --all-namespaces -o jsonpath="{.items[*].spec['initContainers', 'containers'][*].image}"- Replace - ADMIN_CLUSTER_KUBECONFIGwith the path of the kubeconfig file for your admin cluster.- The output of this command displays all the images in your cluster. You can verify that all the Google Distributed Cloud images are from your own registry server. 
- If advanced cluster is enabled, do the following steps: - You can determine whether - containerdis pulling images from your local registry by examining the contents of a file called- config.tomlas shown in the following steps:- Log into a node and examine the contents of the file
/etc/containerd/config.toml.
- Check the - plugins."io.containerd.grpc.v1.cri".registry.mirrorsfield of the- config.tomlfile to see whether your registry server is listed in the- endpointfield.- The following is an excerpt from an example - config.tomlfile.- version = 2 root = "/var/lib/containerd" state = "/run/containerd" ... [plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry.configs] [plugins."io.containerd.grpc.v1.cri".registry.configs."gcr.io"] [plugins."io.containerd.grpc.v1.cri".registry.configs."privateregistry2.io".tls] ca_file = '/etc/containerd/certs.d/privateregistry2.io/ca.crt' [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."gcr.io"] endpoint = ["http://privateregistry.io", "http://privateregistry2.io"] ...
- If your registry mirror appears in the - endpointfield, then the node is pulling images from your registry mirror rather than from Artifact Registry.
 
- Log into a node and examine the contents of the file